We’re currently investigating a new zero-day exploit that affects Internet Explorer versions 7, 8, and 9. The exploit, which is detected by Trend Micro as HTML_EXPDROP.II, is hosted at {BLOCKED}.{BLOCKED}.104.149. Incidentally, this server also hosted the Java zero-day exploit reported last August 30.

Based on our initial analysis, when executed, HTML_EXPDROP.II drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. More information on the analysis will be posted in this entry.

Trend Micro Smart Protection Network™ blocks access to the malicious servers and detects the exploit and other malicious files. Watch this space for updates and additional analysis information.

Update as of September 18, 2012 6:11 AM PDT

We have identified a second attack that uses this zero-day exploit as well. BKDR_PLUGX.BNM, a variant of the recently discovered PlugX remote access tool (RAT), is the payload of this other attack. It has been demonstrated to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

Microsoft has announced that an out-of-band patch to resolve this vulnerability will be released on Friday, at 10AM PDT (5PM UTC). In the meantime, a workaround has also been added to the earlier bulletin.

While this vulnerability may have seen limited exploitation previously, we have seen more and more attacks exploiting this security hole. This may have led Microsoft to decide to release a patch outside of the regular Patch Tuesday cycle.

Until the patch is released, the browser exploit prevention built into Titanium 2013 also protects users against exploits targeting this vulnerability.